Readers React to Rant on SaaS for Insurance

When I penned my recent rant on the inadvisability (at least at present) of SaaS for core systems in insurance, little did I know I would hear from some enthusiastic fans eager to sing the virtues of SaaS.

In that particular blog, “Is SaaS a Viable Option for Core Insurance Systems?,” I opined: “So, are insurers likely to embrace SaaS for their core offerings? Probably not at this point. I must add, however, that SaaS vendors are working hard at mitigating the potential problems with their systems and their paradigm. It will probably take more of this work—and a more risk-friendly economic climate—to convince many insurers to choose the option for critical systems. But it is not out of the realm of possibility.”

Indeed, some see the possibility as closer than I believe it to be. One reader pointed out that “certain blocks of business supported by some core systems hold different strategic priority and/or risk profiles with an insurance carrier.” I think the key word here is “supported.” In other words, we’re not talking about true core systems. Certainly, if a block of business has a lower priority, insurers will be far less nervous about SaaS applications connected with that business. Still, this is not the same as wrapping true core systems in a SaaS paradigm. The reader’s suggestion gets us a little closer to core insurance systems, but not quite there—which is really my point.

The same reader believes it is “perfectly reasonable for a company to consider a SaaS solution for a block of business that is non-strategic or niche or when the economics dictate.” I can’t disagree with that, but even there, the basic instability and insecurity of the Internet are troublesome factors, especially in today’s highly interconnected enterprises. The bad guys could still enter through an innocuous door (non-strategic systems delivered via SaaS) then gain access to the data treasure vault (the core). To prevent this, these low-priority systems would need to be quarantined from core systems, a situation which would likely hamper their functionality.

Another reader points out that SaaS comes in “several flavors,” some of which feature a development platform and/or allow extensive customization. That certainly answers some of the objections to SaaS, but the security issue remains. This reader asserts that, “SaaS security is the responsibility of the customer,” and I agree. It was never my idea for SaaS vendors to provide security platforms. My point is not that SaaS applications are insecure, but that the Internet—the channel through which they are delivered—is very insecure.

A third reader summarized the situation nicely: “While SaaS providers have found different ways to [allay] the industry’s fear for security, some today are believers [but] most are still on the fence. Version and functionality control along with customization seems to be less of a worry for the SaaS providers,” he notes, but he adds that full acceptance of this delivery channel for core systems in the insurance industry is “still some way off.”